Home Did you know ? Why SMBs Must Conduct Rigorous Vendor Evaluation to Protect Themselves from Supply Chain Attacks

Why SMBs Must Conduct Rigorous Vendor Evaluation to Protect Themselves from Supply Chain Attacks

by Mic Johnson

In today’s interconnected cloud landscape, while it is absolutely vital for SMBs to rigorously safeguard their endpoints and networks, this is not the full story. It is also necessary to ensure that their roster of vendors is doing their part to thwart hackers and rogue insiders. Otherwise, a breached vendor can infect the entire supply chain — just ask victims of Solorigate, which experts are calling the most sophisticated cyber attack in history.

For Hackers, Size Doesn’t Matter

Speaking of Solorigate, while the list of high-profile victims is unprecedented (the Pentagon, the Department of Homeland Security, the U.S. Treasury, Cisco, Microsoft, Intel, Palo Alto Networks, the list goes on), SMBs should be under no illusion that, by dint of their size, they are somehow safe and out of harm’s way. Supply chain attacks have been around for decades, and they regularly target SMBs — which, unfortunately, are often quite easy to invade since, compared to big firms, they have relatively lax (and in some cases virtually non-existent) cybersecurity defenses.

Questions to Ask

Given what is at stake, SMBs must be proactive and reduce their risk exposure to supply chain attacks. And a pivotal way to do this is by conducting rigorous vendor evaluation with respect to cybersecurity. To help with this process, here are some of the key questions that SMBs should ask each prospective vendor:

  • Do you comply with relevant cybersecurity regulations and policies?
  • Do you have evidence of up-to-date cybersecurity certification (e.g., SOC 2, ISO 27001/1)?
  • Do you routinely test your cybersecurity resilience (e.g., penetration testing), and can you provide evidence of this?
  • Do you have network segmentation, application firewalls, and other policies in place to restrict access to object source code or application programs?
  • Do you provide your employees with ongoing security awareness training?

Vendors that affirm all of the above — and provide credible evidence — should make the shortlist. Vendors that fail to affirm all of the above should be removed from consideration, even if their product and price are relatively superior to competitors. Taking chances and cutting corners with cybersecurity is very unwise, given that the average cost of a single breach has surpassed $200,000, and the majority of SMBs go out of business within six months of a successful attack.

Other Approaches

Of course, rigorous vendor evaluation is not the only practice that SMBs should adopt to reduce their exposure to supply chain attacks. Other effective approaches include:

  • Implementing zero-trust architecture, which is micro-segmentation that moves the perimeter in as close as possible to privileged apps and protected surface areas.
  • Enforcing the principle of least privilege, which ensures that employees and contractors only have the access they need to carry out their day-to-day tasks and nothing more.
  • Implementing segregation of duties, which prevents a single individual from being responsible for carrying out conflicting duties.
  • Taking a defense-in-depth approach, which slows down attackers as much as possible through a variety of intricate defenses between networks and systems.
  • Auditing and monitoring privileged and shared accounts, such as domain administrator accounts, system accounts, application accounts, emergency access accounts, etc.

SMBs that lack the in-house cybersecurity expertise to design and deploy these strategies, technologies and policies should work with a qualified Managed Service Provider (MSP).

The Bottom Line

Hackers are encouraged and emboldened with the success of Solorigate — which persisted for nearly a year before it was finally detected — and as such we should expect many more supply chain attacks in the months and years ahead. SMBs can and must fight back, and they can start today by conducting rigorous vendor evaluation and ensuring that the companies they do business with are taking cybersecurity extremely seriously.

About the author:

As VP Sales and Marketing, Maxime Trottier leads Devolutions’ international market research and development efforts, along with customer relations and overall business development. He’s driven to bring innovative and cutting-edge solutions to Devolutions’ customers around the globe.

Maxime Trottier, VP Sales & Marketing, Devolutions

You may also like